author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-05-03 09:28:36 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-05-03 12:58:55 +0200 |
commit | ee943f5063c9854c4ba84bdf25b272a32a409971 (patch) | |
tree | fa198123920c3bd710ea463f605f0882c4ab94c6 | |
parent | dd30b179ca0ca989b2ab18e00fa392eef5bfb677 (diff) | |
pkcs11: the flag GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be respected by imported certificates
That is, certificates imported with gnutls_pkcs11_obj_import_url() or
gnutls_x509_crt_import_url() will be able to be extracted with their
extensions overridden. Previously that was available only on gnutls_pkcs11_get_raw_issuer()
and friends.
-rw-r--r-- | lib/pkcs11.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 699d9f1c26..2b5629d1c3 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -64,6 +64,7 @@ struct find_flags_data_st {
 struct find_url_data_st {
 	gnutls_pkcs11_obj_t obj;
+	bool overwrite_exts; /* only valid if looking for a certificate */
 };
 struct find_obj_data_st {
@@ -1972,6 +1973,19 @@ find_obj_url_cb(struct ck_function_list *module, struct pkcs11_session_info *sin
 cleanup:
 	pkcs11_find_objects_final(sinfo);
+	if (ret == 0 && find_data->overwrite_exts && find_data->obj->raw.size > 0) {
+		gnutls_datum_t spki;
+		rv = pkcs11_get_attribute_avalue(sinfo->module, sinfo->pks, obj, CKA_PUBLIC_KEY_INFO, &spki);
+		if (rv == CKR_OK) {
+			ret = pkcs11_override_cert_exts(sinfo, &spki, &find_data->obj->raw);
+			gnutls_free(spki.data);
+			if (ret < 0) {
+				gnutls_assert();
+				goto cleanup;
+			}
+		}
+	}
+
 	return ret;
 }
@@ -2024,6 +2038,10 @@ gnutls_pkcs11_obj_import_url(gnutls_pkcs11_obj_t obj, const char *url,
 		return ret;
 	}
+	if (flags & GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT) {
+		find_data.overwrite_exts = 1;
+	}
+
 	ret = _pkcs11_traverse_tokens(find_obj_url_cb, &find_data, obj->info, &obj->pin, |
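Review bot: The `goto cleanup` in the new error path of find_obj_url_cb jumps back to the `cleanup:` label that sits above the added block, so when pkcs11_override_cert_exts fails `pkcs11_find_objects_final(sinfo)` is executed a second time (the find operation was already finalised on the first pass) before the `ret == 0` test fails and control reaches `return ret`. A plain `return ret;` after `gnutls_assert();` gives the intended behaviour without re-entering the cleanup label, or the override block could be placed before `cleanup:` so the label keeps its single-exit role. The block also only checks `raw.size > 0` and not that the located object is a certificate, so with the flag set a non-certificate URL may now fail inside pkcs11_override_cert_exts; if that is intended, a comment such as `/* callers set overwrite_exts only for certificate URLs */` next to the check would make it explicit. find_obj_url_cb begins outside the hunk, and whether find_data is zero-initialised before `overwrite_exts` is conditionally set in gnutls_pkcs11_obj_import_url is not visible here — presumably it is memset, but if not the flag-unset path reads an uninitialised field.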